1. Field of the Invention
The present invention generally relates to data processing and more particularly to methods of protecting a database from inappropriate or unauthorized access.
2. Description of the Related Art
Databases are computerized information storage and retrieval systems. A relational database management system is a computer database management system (DBMS) that uses relational techniques for storing and retrieving data. The most prevalent type of database is the relational database, a tabular database in which data is defined so that it can be reorganized and accessed in a number of different ways.
Regardless of the particular architecture, in a DBMS, a requesting entity (e.g., an application or the operating system) demands access to a specified database by issuing a database access request. Such requests may include, for instance, simple catalog lookup requests or transactions and combinations of transactions that operate to read, change and add specified records in the database. These requests are made using high-level query languages such as the Structured Query Language (SQL). Illustratively, SQL is used to make interactive queries for getting information from and updating a database such as International Business Machines' (IBM) DB2, Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates. The term “query” denominates a set of commands for retrieving data from a stored database. Queries take the form of a command language that lets programmers and programs select, insert, update, find out the location of data, and so forth.
One significant issue in the context of databases is security. Databases often contain confidential or otherwise sensitive material that requires protection from unauthorized access. For example, medical records are considered highly personal and confidential. As such, access to medical records is typically restricted to selected users. To this end, conventional database management systems may implement user profiles which specify a level of authority. Whether a user may access some particular data will depend upon the user's level of authority specified in their respective profile.
However, the foregoing approach is highly inflexible and static. In practice, such an approach may deny users access to a broader range of data than is desirable. As a result, the effectiveness of a database may be substantially limited. On the other hand, if security is too relaxed, sensitive data may be compromised. What is needed is a balance of data accessibility and security.
To illustrate the shortcomings of conventional databases, consider, for example, a medical database in which the only results users are permitted to see are clinic numbers, in order to ensure anonymity of patients having records in the database. A user may still be able to determine the identity of patients with a fair degree of certainty by issuing a series of carefully crafted queries using information already known to the user. Such a process is referred to herein as query union analysis. The following is an illustrative series of queries designed to identify a particular individual according to a clinic number (which is an identifier uniquely identifying an individual), together with the number of unique patient records that each query returns:
Query                                                                     Results
People diagnosed with Alzheimer's in 1998                                 1200
People married and living in California                                   6000
People living between the ages of 70 and 80                               14,000
People with clinic visits in 1999 and 2001, but not in any other years    6000
Taken independently, each of the foregoing queries returns a reasonable number of results. Collectively, however, the number of results that satisfy all of the conditions at once will be significantly smaller, perhaps only one person. Having determined a clinic number for one individual, a user may run any query that returns clinic numbers together with any other information, and identify which information corresponds to that one individual.
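The following is an added illustration, not part of the original description, of one countermeasure to the query union analysis described above: a per-user gate that tracks the intersection of every clinic-number set already released and refuses any query whose answer would narrow that intersection below a minimum set size. The patient rows, the threshold of three, and the fixed query catalogue are constructed for the example and do not correspond to any real database.

```python
import sqlite3

MIN_SET_SIZE = 3  # constructed threshold: never release a set that pins down fewer patients
# Constructed sample records: (clinic_no, diagnosis, diag_year, state, age, visit_years)
PATIENTS = [
    (101, "alzheimers", 1998, "CA", 74, "1999,2001"),
    (102, "alzheimers", 1998, "CA", 66, "1999,2001"),
    (103, "alzheimers", 1998, "NY", 72, "1999,2001"),
    (104, "diabetes",   1998, "CA", 75, "1999,2001"),
    (105, "alzheimers", 1997, "CA", 71, "1999,2001"),
    (106, "alzheimers", 1998, "CA", 79, "2000"),
    (107, "diabetes",   2001, "CA", 45, "1999,2001"),
    (108, "alzheimers", 1998, "CA", 80, "2000"),
]
# Hypothetical fixed catalogue of permitted queries; the WHERE text never comes from the user.
QUERIES = {
    "alzheimers_1998": ("diagnosis = ? AND diag_year = ?", ("alzheimers", 1998)),
    "lives_in_ca": ("state = ?", ("CA",)),
    "aged_70_to_80": ("age BETWEEN ? AND ?", (70, 80)),
    "visits_1999_2001_only": ("visit_years = ?", ("1999,2001",)),
}

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (clinic_no INTEGER PRIMARY KEY, diagnosis TEXT,"
                 " diag_year INTEGER, state TEXT, age INTEGER, visit_years TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?, ?, ?)", PATIENTS)
    return conn

class InferenceGuard:
    """Per-user gate: answer only if the result set, alone and intersected with
    every set already released to this user, still covers MIN_SET_SIZE patients."""
    def __init__(self, conn):
        self.conn = conn
        self.narrowed = None  # intersection of every result released so far

    def query(self, name):
        where, params = QUERIES[name]
        rows = self.conn.execute(f"SELECT clinic_no FROM patient WHERE {where}", params)
        result = {clinic_no for (clinic_no,) in rows}
        combined = result if self.narrowed is None else self.narrowed & result
        if len(result) < MIN_SET_SIZE or len(combined) < MIN_SET_SIZE:
            return None  # refused: answering would let union analysis single out too few people
        self.narrowed = combined
        return sorted(result)

def run_union_analysis():
    # Replay the four-query series from the text; returns (query name, released size or None).
    guard = InferenceGuard(build_db())
    return [(n, None if (r := guard.query(n)) is None else len(r)) for n in QUERIES]
```

Each of the first three queries is answered because it returns five, seven and six clinic numbers respectively and their running intersection still covers three patients; the fourth is refused because its answer, combined with what was already released, would isolate a single clinic number even though the query alone returns six.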
The foregoing is merely one example of how users may exploit conventional databases. A variety of other subversive techniques may be used to bypass security mechanisms in place to protect data contained in databases.
Therefore, there is a need for improved security mechanisms for databases.